mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-06 21:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity
autopsy-flatpak/docs/doxygen-user/common_files.dox
Ann Priestman 74e35a20c9 Partway through common properties search docs
2018-09-27 09:24:12 -04:00

59 lines
2.9 KiB
Plaintext
Raw Blame History

/*! \page common_files_page Common Properties Search
\section common_files_overview Overview
The Common Properties Search feature allows you to search for multiple copies of a property within the current case or within the \ref central_repo_page.
To start a search, go to Tools->Common Properties Search to bring up the main dialog. Searching requires at least one of the following to be true:
<ul>
<li> The current case has more than one data source
<li> The Central Repository contains at least two cases
</ul>
A message will be displayed if both of these conditions are false.
\section common_files_search_types Common Properties Search Scope
Different parameters are needed for setting up the two types of searches. These will be described below.
\subsection common_files_intra_case Scope - between data sources in the current case
This type of search looks for files that are in multiple data sources within the current case. It does not require the Central Repository to be enabled, and currently only searches for common files. You must run the \ref hash_db_page to compute MD5 hashes on each data source prior to performing the search. The search results will not include any files that have been marked as "known" by the hash module (ex: files that are in the NSRL).
\image html common_files_intra_case.png
By default, the search will find matching files in any data sources. If desired, you can change the search to only show matches where one of the files is in a certain data source by selecting it from the list:
\image html common_files_select_ds.png
You can also choose to show any type of matching files or restrict the search to pictures and videos and/or documents.
Finally, if you have the Central Repository enabled you can choose to hide matches that appear with a high frequency in the Central Repository.
\subsection common_files_central_repo Scope - between current case and cases in the Central Repository
This type of search looks for common properties between the current case and other cases in the Central Repository. You must run the Correlation Engine ingest module on each case with the property you want to search for enabled, along with the ingest modules that produce that property type (see \ref cr_manage_properties).
\image html common_files_cr.png
\section common_files_results Search Results
\section common_files_usage Usage
To start, go to Tools->Common Files Search to bring up the following dialog:
\image html common_files_dialog.png
You can choose to find any files with multiple copies in the whole case, or specify that at least one of the copies has to be in the selected data source(s).
\image html common_files_data_source.png
You can also choose to restrict the search to only pictures and videos and/or documents.
Once the search is run, the matching files are displayed in the results tab. The results are grouped by how many matching files were found and then grouped by hash.
\image html common_files_results.png
*/
Reference in New Issue View Git Blame Copy Permalink